<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>Digital Offensive &#187; Security Advisories</title>
	<atom:link href="http://www.digitaloffensive.com/category/advisories/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.digitaloffensive.com</link>
	<description>Take an offensive approach to Security know what your foes know!</description>
	<lastBuildDate>Thu, 29 Jul 2010 19:06:41 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
	<!-- podcast_generator="podPress/8.8" - maintenance_release="8.8.5.3" -->
	<copyright>Copyright &#xA9; 2010 Digital Offensive </copyright>
	<managingEditor>genxweb@gmail.com</managingEditor>
	<webMaster>genxweb@gmail.com</webMaster>
	<category>posts</category>
	<ttl>1440</ttl>
	<image>
		<url>http://digitaloffensive.com/wp-content/plugins/podpress/images/powered_by_podpress.jpg</url>
		<title>Digital Offensive &#187; Security Advisories</title>
		<link>http://www.digitaloffensive.com</link>
		<width>144</width>
		<height>144</height>
	</image>
	<itunes:subtitle></itunes:subtitle>
	<itunes:summary>Take an offensive approach to Security know what your foes know!</itunes:summary>
	<itunes:keywords></itunes:keywords>
	<itunes:category text="Society &amp; Culture" />
	<itunes:author></itunes:author>
	<itunes:owner>
		<itunes:name></itunes:name>
		<itunes:email>genxweb@gmail.com</itunes:email>
	</itunes:owner>
	<itunes:block>no</itunes:block>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://digitaloffensive.com/wp-content/plugins/podpress/images/powered_by_podpress_large.jpg" />
		<item>
		<title>Blue Coat URL Redirection Vulnerability</title>
		<link>http://www.digitaloffensive.com/2010/04/blue-coat-url-redirection-vulnerability/</link>
		<comments>http://www.digitaloffensive.com/2010/04/blue-coat-url-redirection-vulnerability/#comments</comments>
		<pubDate>Fri, 02 Apr 2010 18:09:34 +0000</pubDate>
		<dc:creator>Michael</dc:creator>
				<category><![CDATA[Security Advisories]]></category>

		<guid isPermaLink="false">http://www.digitaloffensive.com/?p=193</guid>
		<description><![CDATA[Blue Coat URL Redirection Vulnerability The Blue Coat web filter is one of the industry’s leading web filtering solutions. It provides the organization the ability to filter where their employees, vendors, customers or guests can go online. The Blue Coat Web filter has an issue where it will display a base64 encoded URL in the [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><strong>Blue Coat URL Redirection Vulnerability</strong></p>
<p style="text-align: left;">The Blue Coat web filter is one of the industry’s leading web filtering solutions. It gives an organization the ability to filter where its employees, vendors, customers or guests can go online.</p>
<p style="text-align: left;">When it encounters an error, the Blue Coat web filter displays a base64-encoded URL in the following format: http://blue_coat_name/?cfru=aHR0cDovL3d3dy5nb29nbGUuY29tLw==</p>
<p style="text-align: left;"><a href="http://www.digitaloffensive.com/wp-content/uploads/2010/04/bluecoat.jpg" target="_blank"><img class="aligncenter size-medium wp-image-194" title="bluecoat" src="http://www.digitaloffensive.com/wp-content/uploads/2010/04/bluecoat-300x121.jpg" alt="" width="300" height="121" /></a></p>
<p style="text-align: left;">This URL is displayed in the end user’s browser, usually with a message relating to the issue. The encoded URL is the URL that the end user was trying to get to before the error occurred. In the URL above I was trying to access www.google.com. To verify that, we can use any base64 decoder; for this example I used an online version found at <a href="http://base64-encoder-online.waraxe.us/" target="_blank">http://base64-encoder-online.waraxe.us/</a>.</p>
<p style="text-align: left;"><a href="http://www.digitaloffensive.com/wp-content/uploads/2010/04/encoded.jpg"><img class="aligncenter size-medium wp-image-195" title="encoded" src="http://www.digitaloffensive.com/wp-content/uploads/2010/04/encoded-300x224.jpg" alt="" width="300" height="224" /></a><a href="http://www.digitaloffensive.com/wp-content/uploads/2010/04/decoded.jpg"><img class="aligncenter size-medium wp-image-196" title="decoded" src="http://www.digitaloffensive.com/wp-content/uploads/2010/04/decoded-300x224.jpg" alt="" width="300" height="224" /></a></p>
<p style="text-align: left;">All a malicious user would need to carry out an attack would be a remote site that is hosting a malicious payload or an attack platform like Metasploit or Core Impact to host the malicious file. The attacker would then use a base64 encoder to encode the malicious URL and send the problematic link to the system administrator or any other end user. This attack could lead to a full system compromise depending on the payload and the rights of the user clicking the URL.</p>
<p>The limitation of this vulnerability is that the DNS name and/or IP of the Blue Coat web appliance will differ for the majority of companies. Though I bet there are at least a few companies out there that have named their Blue Coat web filter “proxy” or “webproxy”. By posting links using several of these generic names on the internet, it may also be possible to compromise other remote machines.</p>
<p>The question that I have for Blue Coat is why you would provide such functionality. Why not just display the URL in clear text?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitaloffensive.com/2010/04/blue-coat-url-redirection-vulnerability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PHPizabi: Possible vulnerability in information disclosure and database integrity</title>
		<link>http://www.digitaloffensive.com/2009/09/phpizabi-possible-vulnerability-in-information-disclosure-and-database-integrity/</link>
		<comments>http://www.digitaloffensive.com/2009/09/phpizabi-possible-vulnerability-in-information-disclosure-and-database-integrity/#comments</comments>
		<pubDate>Wed, 23 Sep 2009 13:39:56 +0000</pubDate>
		<dc:creator>Michael</dc:creator>
				<category><![CDATA[Security Advisories]]></category>

		<guid isPermaLink="false">http://digitaloffensive.com/?p=7</guid>
		<description><![CDATA[PHPizabi: Possible vulnerability in information disclosure and database integrity Vendor: Notified. I notified the vendor of this issue over three months ago and have not heard back from them regarding this threat. According to their website there have been no patches or core releases released since the ones I have listed below. Version: PHPizabi 0.848b [...]]]></description>
			<content:encoded><![CDATA[<p><strong>PHPizabi: Possible vulnerability in information disclosure and database integrity</strong></p>
<p><strong>Vendor:</strong> Notified. I notified the vendor of this issue over three months ago and have not heard back from them regarding this threat. According to their website there have been no patches or core releases released since the ones I have listed below.</p>
<p><strong>Version:</strong> PHPizabi 0.848b C1 HFP1 (Alicia)</p>
<p><strong>Hot fixes: </strong> 848 Core HotFix Pack 3 0848bC1_HFP3.zip and below</p>
<p><strong>Product Info:</strong></p>
<p>“More than a simple script, dating script, or even just a matchmaker; PHPizabi is a feature rich social networking platform that integrates everything you need to jumpstart your community, dating site, or social networking portal right out of the box. PHPizabi is one of the most reliable, safe, and solid platforms on the market, offering your users features they could only dream of.”</p>
<p><strong>Vulnerability:</strong></p>
<p>In the default configuration and installation of this script, the “system” dir is left open, allowing directory indexing. When I discovered that the system dir was open, I was able to download the configuration file, which contained sensitive information about the site such as the database connection information, including username and password.</p>
<p><strong>To exploit</strong></p>
<p>1)      Google: “Powered by PHPizabi”</p>
<p>2)      http://sitename.com/system/</p>
<p>3)      Download the file and open it in an editor.</p>
<p>Temp solutions:</p>
<p>1)      Add a .htaccess file to the system dir that says</p>
<p>a.       Options -Indexes</p>
<p>b.      Note: this will not stop an attacker from retrieving the file directly, for example with wget and http://sitename.com/system/config.inc.php.</p>
<p>2)      Make sure that the database can only be accessed locally.</p>
<p>a.       The host I had permission to test this on had the database open to remote connections.</p>
<p>The vendor should have the file die if it is accessed directly, as they do when you try to access a file in the admin directory directly.</p>
<p>Tested on: This has been tested against my site, www.xxxxxxxx.com. I have done some edits to the code to protect my site and contacted the host about the database settings. The site address has been “X”ed out to protect it from people trying the attack against it.</p>
<p>Vulnerability Classification: Possible vulnerability in information disclosure and database integrity.</p>
<p>Thanks</p>
<p>Michael LaSalvia</p>
<p>www.digitaloffensive.com</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitaloffensive.com/2009/09/phpizabi-possible-vulnerability-in-information-disclosure-and-database-integrity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
